utils/ovpn-client-management.sh

#! /bin/bash

# DESCRIPTION:
#   creating or deleting client config for openvpn
#   and
#   sending config and info to email
#
# DEPENDENCIES:
#   - chpasswd
#   - openvpn
#   - easy-rsa
#   - tar
#   - Python 3
#   - existing /usr/local/bin/sendmail.py
#
# PARAMETERS:
#   1: "add|del" - add or delete client config
#   2: username - client username
#   3: password - client password
#   -f - service will restart after username delete
#
# FUNCTIONS:
#

#######################################
# Print message and add to log.
# Globals:
#   logs
# Arguments:
#   1: message to print and logging
#######################################
addtologs() {
  echo "$(date +'%Y.%m.%d-%H:%M:%S') $1" | tee -a "${logs}"
}

#######################################
# Exit procedure.
# Globals:
#   show
# Arguments:
#   None
#######################################
execquite() {
  addtologs "execution time is $(($(date +%s)-time)) seconds, exit"
  exit
}

#######################################
# Error exit procedure
# Globals:
#   None
# Arguments:
#   1: message to print and logging
#######################################
execerror() {
  addtologs "error: $1"
  execquite
}

#######################################
# Checking user rights.
# Globals:
#   None
# Arguments:
#   None
# return:
#   0 - if privileged rights, 1 - if not privileged rights
#######################################
checkroot() {
  if [ "${EUID}" -ne 0 ]; then
    return 1 # false
  else
    return 0 # true
  fi
}

#######################################
# Creating linux user
# Globals:
#   clientname
#   clientpass
# Arguments:
#   None
#######################################
createuser() {
  useradd "${clientname}" --shell /sbin/nologin
  echo "${clientname}:${clientpass}" | chpasswd
}

#######################################
# Creating Easy-RSA user certificate
# Globals:
#   easyrsadir
#   easyrsavar
#   easyrsaexe
#   easyrsacap
#   clientname
#   clientpass
# Arguments:
#   None
#######################################
# shellcheck disable=SC2016
createcert() {
    cd ${easyrsadir} || execerror ""
    sed -i -e '$aset_var EASYRSA_REQ_CN         '"${clientname}"'' ${easyrsavar}
    ${easyrsaexe} --passout=pass:"${clientpass}" --passin=pass:${easyrsacap} build-client-full "${clientname}"
    sed -i '/EASYRSA_REQ_CN/d' ${easyrsavar}
}

#######################################
# Creating ovpn config file
# Globals:
#   easyrsadir
#   ovpncfgdef
#   clientname
#   ovpncfgdir
# Arguments:
#   None
#######################################
createovpn() {
  cd ${easyrsadir} || execerror ""
  {
    cat "${ovpncfgdef}"
    echo -e '<ca>'
    cat "${easyrsadir}/pki/ca.crt"
    echo -e '</ca>\n<cert>'
    cat "${easyrsadir}/pki/issued/${clientname}.crt"
    echo -e '</cert>\n<key>'
    cat "${easyrsadir}/pki/private/${clientname}.key"
    echo -e '</key>\n<tls-auth>'
    cat "${easyrsadir}/pki/ta.key"
    echo -e '</tls-auth>'
  } >> "${ovpncfgdir}/${clientname}.ovpn"
}

#######################################
# Creating tar with config file
# Globals:
#   easyrsadir
#   clientname
#   ovpncfgdir
# Arguments:
#   None
#######################################
createtars() {
  cp "${ovpncfgdir}/${clientname}.ovpn" "${ovpncfgdir}/vpn.cnf"
  sed -i "s#auth-user-pass#auth-user-pass /config/openvpn/vpn.txt#g" ${ovpncfgdir}/vpn.cnf
  {
    echo -e "${clientname}"
    echo -e "${clientpass}"
  } >> "${ovpncfgdir}/vpn.txt"
  cd ${ovpncfgdir} || execerror ""
  tar cf "${clientname}.tar" --remove-files vpn.cnf vpn.txt
}

#######################################
# Creating info file
# Globals:
#   easyrsadir
#   easyrsaexe
#   clientname
#   ovpncfgdir
# Arguments:
#   None
#######################################
createinfo() {
  cd ${easyrsadir} || execerror
  validuntil=$(${easyrsaexe} show-cert "${clientname}" | grep "Not After" | cut -d: -f2-)

faqprofile=$(cat <<END
OpenVPN Connect client and installation instructions:
https://openvpn.net/vpn-client/
OpenVPN GUI client:
https://openvpn.net/community-downloads/

User Login: ${clientname}
User Password: ${clientpass}
Time Expired: ${validuntil}
END
)

  echo -e "${faqprofile}" > "${ovpncfgdir}/${clientname}.info"
}

#######################################
# Send email notification about client connect
# Globals:
#   clientname
#   faqprofile
#   ovpncfgdir
# Arguments:
#   None
#######################################
startsendmail() {
  subj="[OVPN Settings] $(cat /etc/hostname): ${clientname}.ovpn client profile"
  (
    python3 /usr/local/bin/sendmail.py \
    -u "$(grep "from=" /usr/local/bin/sendmail.config | cut -d= -f2)" \
    -p "$(grep "pass=" /usr/local/bin/sendmail.config | cut -d= -f2)" \
    -d "$(grep "dest=" /usr/local/bin/sendmail.config | cut -d= -f2)" \
    --smtp "$(grep "smtp=" /usr/local/bin/sendmail.config | cut -d= -f2)" \
    --port "$(grep "port=" /usr/local/bin/sendmail.config | cut -d= -f2)" \
    --stls "True" \
    --subj "${subj}" \
    --text "${faqprofile}" \
    --file "${ovpncfgdir}/${clientname}.ovpn,${ovpncfgdir}/${clientname}.tar" \
    >> /dev/null 2>&1 &
  )
  addtologs "sent mail with subject '${subj}'"
}

#######################################
# Deleting linux user
# Globals:
#   clientname
# Arguments:
#   None
#######################################
deleteuser() {
  userdel -f -r "${clientname}"
}

#######################################
# Deleting Easy-RSA user certificate
# Globals:
#   easyrsadir
#   easyrsavar
#   easyrsaexe
#   easyrsacap
#   clientname
# Arguments:
#   None
#######################################
deletecert() {
    cd ${easyrsadir} || execerror
    ${easyrsaexe} --batch --passin=pass:${easyrsacap} revoke "${clientname}"
    ${easyrsaexe} --batch --passin=pass:${easyrsacap} gen-crl
}

#######################################
# Deleting ovpn config file
# Globals:
#   clientname
#   ovpncfgdir
# Arguments:
#   None
#######################################
deleteovpn() {
    rm -f "${ovpncfgdir}/${clientname}.ovpn"
}

#######################################
# Deleting tar with config file
# Globals:
#   clientname
#   ovpncfgdir
# Arguments:
#   None
#######################################
deletetars() {
  rm -f "${ovpncfgdir}/${clientname}.tar"
}

#######################################
# Deleting info file
# Globals:
#   clientname
#   ovpncfgdir
# Arguments:
#   None
#######################################
deleteinfo() {
  rm -f "${ovpncfgdir}/${clientname}.info"
}

#
# VARIABLES:
#

easyrsadir="/etc/openvpn/easy-rsa"
easyrsaidx="${easyrsadir}/pki/index.txt"
easyrsaexe="${easyrsadir}/easyrsa"
easyrsavar="${easyrsadir}/vars"
easyrsacap="openvpnca"
ovpncfgdir="/etc/openvpn/client"
ovpncfgdef="${ovpncfgdir}/client.conf.default"
logs=/var/log/openvpn/$(basename -s .sh "$0").log

clienttodo=$1
clientname=$2
clientpass=$3

time=$(date +%s)

#
# MAIN:
#

if checkroot; then
  if [ "${clienttodo}" == "add" ] && \
     [ -n "${clientname}" ] && \
     [ "${#clientpass}" -ge 8 ]; then
    if id -u "${clientname}" >/dev/null 2>&1 || \
       grep -w "${clientname}" ${easyrsaidx} || \
       [ -e "${ovpncfgdir}/${clientname}.ovpn" ]; then
      execerror "linux user or certificate or ovpn config exist, exit"
    else
      createuser && addtologs "created Linux user '${clientname}'"
      createcert && addtologs "created certificate for ${clientname}"
      createovpn && addtologs "created ovpn config file for ${clientname}"
      createtars && addtologs "created tar with config file for ${clientname}"
      createinfo && addtologs "created info file for ${clientname}"
      startsendmail
    fi
  elif [ "${clienttodo}" == "del" ] && [ -n "${clientname}" ]; then
    resetforce=0
    while :; do
      case "${3-}" in
      -f | --force)
        resetforce=1
        shift
        ;;
      *)
        break
        ;;
      esac
      shift
    done
    if id -u "${clientname}" >/dev/null 2>&1 || \
       grep -w "${clientname}" ${easyrsaidx} || \
       [ -e "${ovpncfgdir}/${clientname}.ovpn" ]; then
      deleteuser
      addtologs "deleted Linux user '${clientname}'"
      deletecert
      deleteovpn
      deletetars
      deleteinfo
      if [ "${resetforce}" -eq 1 ];then
        addtologs "restarting openvpn@server..."
        systemctl restart openvpn@server
      fi
    else
      execerror "linux user and certificate and ovpn config not exist, exit"
    fi
  else
    printf "%s\n" "Usage example: $0 'add' 'username(surname)' 'password(not less 8 symbols)'"
    printf "%s\n" "Usage example: $0 'del' 'username(surname)'"
    printf "%s\n" "Usage example: $0 'del' 'username(surname)' -f"
  fi
else
  execerror "Restart this as root!"
fi
execquite
add scripts for ovpn 2023-04-13 13:29:49 +03:00			`#! /bin/bash`

			`# DESCRIPTION:`
			`# creating or deleting client config for openvpn`
			`# and`
			`# sending config and info to email`
			`#`
			`# DEPENDENCIES:`
			`# - chpasswd`
			`# - openvpn`
			`# - easy-rsa`
			`# - tar`
			`# - Python 3`
			`# - existing /usr/local/bin/sendmail.py`
			`#`
			`# PARAMETERS:`
			`# 1: "add\|del" - add or delete client config`
			`# 2: username - client username`
			`# 3: password - client password`
			`# -f - service will restart after username delete`
			`#`
			`# FUNCTIONS:`
			`#`

			`#######################################`
			`# Print message and add to log.`
			`# Globals:`
			`# logs`
			`# Arguments:`
			`# 1: message to print and logging`
			`#######################################`
			`addtologs() {`
			`echo "$(date +'%Y.%m.%d-%H:%M:%S') $1" \| tee -a "${logs}"`
			`}`

			`#######################################`
			`# Exit procedure.`
			`# Globals:`
			`# show`
			`# Arguments:`
			`# None`
			`#######################################`
			`execquite() {`
			`addtologs "execution time is $(($(date +%s)-time)) seconds, exit"`
			`exit`
			`}`

			`#######################################`
			`# Error exit procedure`
			`# Globals:`
			`# None`
			`# Arguments:`
			`# 1: message to print and logging`
			`#######################################`
			`execerror() {`
			`addtologs "error: $1"`
			`execquite`
			`}`

			`#######################################`
			`# Checking user rights.`
			`# Globals:`
			`# None`
			`# Arguments:`
			`# None`
			`# return:`
			`# 0 - if privileged rights, 1 - if not privileged rights`
			`#######################################`
			`checkroot() {`
			`if [ "${EUID}" -ne 0 ]; then`
			`return 1 # false`
			`else`
			`return 0 # true`
			`fi`
			`}`

			`#######################################`
			`# Creating linux user`
			`# Globals:`
			`# clientname`
			`# clientpass`
			`# Arguments:`
			`# None`
			`#######################################`
			`createuser() {`
			`useradd "${clientname}" --shell /sbin/nologin`
			`echo "${clientname}:${clientpass}" \| chpasswd`
			`}`

			`#######################################`
			`# Creating Easy-RSA user certificate`
			`# Globals:`
			`# easyrsadir`
			`# easyrsavar`
			`# easyrsaexe`
			`# easyrsacap`
			`# clientname`
			`# clientpass`
			`# Arguments:`
			`# None`
			`#######################################`
			`# shellcheck disable=SC2016`
			`createcert() {`
			`cd ${easyrsadir} \|\| execerror ""`
			`sed -i -e '$aset_var EASYRSA_REQ_CN '"${clientname}"'' ${easyrsavar}`
			`${easyrsaexe} --passout=pass:"${clientpass}" --passin=pass:${easyrsacap} build-client-full "${clientname}"`
			`sed -i '/EASYRSA_REQ_CN/d' ${easyrsavar}`
			`}`

			`#######################################`
			`# Creating ovpn config file`
			`# Globals:`
			`# easyrsadir`
			`# ovpncfgdef`
			`# clientname`
			`# ovpncfgdir`
			`# Arguments:`
			`# None`
			`#######################################`
			`createovpn() {`
			`cd ${easyrsadir} \|\| execerror ""`
			`{`
			`cat "${ovpncfgdef}"`
			`echo -e '<ca>'`
			`cat "${easyrsadir}/pki/ca.crt"`
			`echo -e '</ca>\n<cert>'`
			`cat "${easyrsadir}/pki/issued/${clientname}.crt"`
			`echo -e '</cert>\n<key>'`
			`cat "${easyrsadir}/pki/private/${clientname}.key"`
			`echo -e '</key>\n<tls-auth>'`
			`cat "${easyrsadir}/pki/ta.key"`
			`echo -e '</tls-auth>'`
			`} >> "${ovpncfgdir}/${clientname}.ovpn"`
			`}`

			`#######################################`
			`# Creating tar with config file`
			`# Globals:`
			`# easyrsadir`
			`# clientname`
			`# ovpncfgdir`
			`# Arguments:`
			`# None`
			`#######################################`
			`createtars() {`
			`cp "${ovpncfgdir}/${clientname}.ovpn" "${ovpncfgdir}/vpn.cnf"`
			`sed -i "s#auth-user-pass#auth-user-pass /config/openvpn/vpn.txt#g" ${ovpncfgdir}/vpn.cnf`
			`{`
			`echo -e "${clientname}"`
			`echo -e "${clientpass}"`
			`} >> "${ovpncfgdir}/vpn.txt"`
			`cd ${ovpncfgdir} \|\| execerror ""`
			`tar cf "${clientname}.tar" --remove-files vpn.cnf vpn.txt`
			`}`

			`#######################################`
			`# Creating info file`
			`# Globals:`
			`# easyrsadir`
			`# easyrsaexe`
			`# clientname`
			`# ovpncfgdir`
			`# Arguments:`
			`# None`
			`#######################################`
			`createinfo() {`
			`cd ${easyrsadir} \|\| execerror`
			`validuntil=$(${easyrsaexe} show-cert "${clientname}" \| grep "Not After" \| cut -d: -f2-)`

			`faqprofile=$(cat <<END`
			`OpenVPN Connect client and installation instructions:`
			`https://openvpn.net/vpn-client/`
			`OpenVPN GUI client:`
			`https://openvpn.net/community-downloads/`

			`User Login: ${clientname}`
			`User Password: ${clientpass}`
			`Time Expired: ${validuntil}`
			`END`
			`)`

			`echo -e "${faqprofile}" > "${ovpncfgdir}/${clientname}.info"`
			`}`

			`#######################################`
			`# Send email notification about client connect`
			`# Globals:`
			`# clientname`
			`# faqprofile`
			`# ovpncfgdir`
			`# Arguments:`
			`# None`
			`#######################################`
			`startsendmail() {`
			`subj="[OVPN Settings] $(cat /etc/hostname): ${clientname}.ovpn client profile"`
			`(`
			`python3 /usr/local/bin/sendmail.py \`
			`-u "$(grep "from=" /usr/local/bin/sendmail.config \| cut -d= -f2)" \`
			`-p "$(grep "pass=" /usr/local/bin/sendmail.config \| cut -d= -f2)" \`
			`-d "$(grep "dest=" /usr/local/bin/sendmail.config \| cut -d= -f2)" \`
			`--smtp "$(grep "smtp=" /usr/local/bin/sendmail.config \| cut -d= -f2)" \`
			`--port "$(grep "port=" /usr/local/bin/sendmail.config \| cut -d= -f2)" \`
			`--stls "True" \`
			`--subj "${subj}" \`
			`--text "${faqprofile}" \`
			`--file "${ovpncfgdir}/${clientname}.ovpn,${ovpncfgdir}/${clientname}.tar" \`
			`>> /dev/null 2>&1 &`
			`)`
			`addtologs "sent mail with subject '${subj}'"`
			`}`

			`#######################################`
			`# Deleting linux user`
			`# Globals:`
			`# clientname`
			`# Arguments:`
			`# None`
			`#######################################`
			`deleteuser() {`
			`userdel -f -r "${clientname}"`
			`}`

			`#######################################`
			`# Deleting Easy-RSA user certificate`
			`# Globals:`
			`# easyrsadir`
			`# easyrsavar`
			`# easyrsaexe`
			`# easyrsacap`
			`# clientname`
			`# Arguments:`
			`# None`
			`#######################################`
			`deletecert() {`
			`cd ${easyrsadir} \|\| execerror`
			`${easyrsaexe} --batch --passin=pass:${easyrsacap} revoke "${clientname}"`
			`${easyrsaexe} --batch --passin=pass:${easyrsacap} gen-crl`
			`}`

			`#######################################`
			`# Deleting ovpn config file`
			`# Globals:`
			`# clientname`
			`# ovpncfgdir`
			`# Arguments:`
			`# None`
			`#######################################`
			`deleteovpn() {`
			`rm -f "${ovpncfgdir}/${clientname}.ovpn"`
			`}`

			`#######################################`
			`# Deleting tar with config file`
			`# Globals:`
			`# clientname`
			`# ovpncfgdir`
			`# Arguments:`
			`# None`
			`#######################################`
			`deletetars() {`
			`rm -f "${ovpncfgdir}/${clientname}.tar"`
			`}`

			`#######################################`
			`# Deleting info file`
			`# Globals:`
			`# clientname`
			`# ovpncfgdir`
			`# Arguments:`
			`# None`
			`#######################################`
			`deleteinfo() {`
			`rm -f "${ovpncfgdir}/${clientname}.info"`
			`}`

			`#`
			`# VARIABLES:`
			`#`

			`easyrsadir="/etc/openvpn/easy-rsa"`
			`easyrsaidx="${easyrsadir}/pki/index.txt"`
			`easyrsaexe="${easyrsadir}/easyrsa"`
			`easyrsavar="${easyrsadir}/vars"`
			`easyrsacap="openvpnca"`
			`ovpncfgdir="/etc/openvpn/client"`
			`ovpncfgdef="${ovpncfgdir}/client.conf.default"`
			`logs=/var/log/openvpn/$(basename -s .sh "$0").log`

			`clienttodo=$1`
			`clientname=$2`
			`clientpass=$3`

			`time=$(date +%s)`

			`#`
			`# MAIN:`
			`#`

			`if checkroot; then`
			`if [ "${clienttodo}" == "add" ] && \`
			`[ -n "${clientname}" ] && \`
			`[ "${#clientpass}" -ge 8 ]; then`
			`if id -u "${clientname}" >/dev/null 2>&1 \|\| \`
			`grep -w "${clientname}" ${easyrsaidx} \|\| \`
			`[ -e "${ovpncfgdir}/${clientname}.ovpn" ]; then`
			`execerror "linux user or certificate or ovpn config exist, exit"`
			`else`
			`createuser && addtologs "created Linux user '${clientname}'"`
			`createcert && addtologs "created certificate for ${clientname}"`
			`createovpn && addtologs "created ovpn config file for ${clientname}"`
			`createtars && addtologs "created tar with config file for ${clientname}"`
			`createinfo && addtologs "created info file for ${clientname}"`
			`startsendmail`
			`fi`
			`elif [ "${clienttodo}" == "del" ] && [ -n "${clientname}" ]; then`
			`resetforce=0`
			`while :; do`
			`case "${3-}" in`
			`-f \| --force)`
			`resetforce=1`
			`shift`
			`;;`
			`*)`
			`break`
			`;;`
			`esac`
			`shift`
			`done`
			`if id -u "${clientname}" >/dev/null 2>&1 \|\| \`
			`grep -w "${clientname}" ${easyrsaidx} \|\| \`
			`[ -e "${ovpncfgdir}/${clientname}.ovpn" ]; then`
			`deleteuser`
			`addtologs "deleted Linux user '${clientname}'"`
			`deletecert`
			`deleteovpn`
			`deletetars`
			`deleteinfo`
			`if [ "${resetforce}" -eq 1 ];then`
			`addtologs "restarting openvpn@server..."`
			`systemctl restart openvpn@server`
			`fi`
			`else`
			`execerror "linux user and certificate and ovpn config not exist, exit"`
			`fi`
			`else`
			`printf "%s\n" "Usage example: $0 'add' 'username(surname)' 'password(not less 8 symbols)'"`
			`printf "%s\n" "Usage example: $0 'del' 'username(surname)'"`
			`printf "%s\n" "Usage example: $0 'del' 'username(surname)' -f"`
			`fi`
			`else`
			`execerror "Restart this as root!"`
			`fi`
			`execquite`